CVE-2026-42284

GitPython: Unsafe option check validates multi_options before shlex.split transforms it

CVSS 8.1 (High) · EPSS 0.6% · CWE-88 (Improper Neutralization of Argument Delimiters in a Command, "Argument Injection")
Vexday Risk Score: 41 (Attention)
SSVC decision (CISA): Attend
PoC available → attend closely
Indicators: KEV: no · Public PoC: yes · Nuclei / Metasploit / Patch
Lifecycle: 07 May 2026, published on NVD
Recommendation: Plan a near-term fix (upgrade to GitPython 3.1.47 or later); a public PoC already exists.
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list (checking each element against the unsafe-option list), and only afterwards executes shlex.split(" ".join(multi_options)) to build the argv passed to git clone. The check therefore sees whole list elements, while git sees the tokens produced by the split. A single element such as "--branch main --config core.hooksPath=/x" passes validation because it starts with --branch, but after the split it becomes ["--branch", "main", "--config", "core.hooksPath=/x"], so --config reaches git as its own argument. Git applies the config during the clone, core.hooksPath points it at an attacker-controlled hook directory, and the hooks run during clone, giving code execution on the host performing the clone. Any application that forwards untrusted strings into multi_options is affected; passing "--config" as a separate list element is caught by the existing check, so the bypass depends on packing several tokens into one element. This issue has been patched in version 3.1.47.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
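The ordering problem is easiest to see side by side. The following is an added example written for this page, not GitPython's own code: it models a prefix-based unsafe-option check (the flag list, the class name UnsafeOptionError and the two clone_argv_* helpers are assumptions for the illustration), runs the advisory's payload through the pre-fix order (check, then split) and through a split-then-check order, and shows that only the latter rejects it. It never invokes git.

```python
import shlex

# Clone options that let the caller change what git executes (config keys
# such as core.hooksPath, or the upload-pack program). The list is an
# assumption for this example; it is not quoted from the library.
UNSAFE_CLONE_OPTIONS = ["--upload-pack", "-u", "--config", "-c"]


class UnsafeOptionError(ValueError):
    """Raised when an option string would reach git with a forbidden flag."""


def check_unsafe_options(options, unsafe_options=UNSAFE_CLONE_OPTIONS):
    """Reject any option that starts with a forbidden flag.

    Hypothetical model of a prefix-based option check. It is sound only
    when each string is a single argv token; a string holding several
    space-separated tokens is judged by its first token alone.
    """
    bare = [flag.lstrip("-") for flag in unsafe_options]
    for option in options:
        for flag, bare_flag in zip(unsafe_options, bare):
            if option.startswith(flag) or option == bare_flag:
                raise UnsafeOptionError(f"unsafe clone option: {option!r}")


def clone_argv_before_fix(multi_options):
    """Ordering the advisory describes for versions before 3.1.47:
    validate the caller's list as given, then shlex.split the joined string."""
    check_unsafe_options(multi_options)
    return shlex.split(" ".join(multi_options))


def clone_argv_after_split_check(multi_options):
    """Safer ordering: tokenise first, then validate every argv token.
    Illustrative fix; the page does not state how 3.1.47 implements it."""
    argv = shlex.split(" ".join(multi_options))
    check_unsafe_options(argv)
    return argv


# Payload from the advisory: one list element that hides --config behind a
# harmless-looking --branch prefix.
PAYLOAD = ["--branch main --config core.hooksPath=/x"]


def demo():
    """Return (argv the pre-fix order would hand to git, whether the
    split-then-check order blocked the payload)."""
    smuggled = clone_argv_before_fix(PAYLOAD)  # passes; --config reaches git
    try:
        clone_argv_after_split_check(PAYLOAD)
        blocked = False
    except UnsafeOptionError:
        blocked = True
    return smuggled, blocked


if __name__ == "__main__":
    argv, blocked = demo()
    print("pre-fix argv handed to git clone:", argv)
    print("split-then-check blocks payload:", blocked)
```

Whichever check is used, the invariant to preserve is that validation runs over exactly the tokens git will receive. For callers that cannot upgrade immediately, passing each option as its own list element and never forwarding untrusted strings into multi_options removes the gap the advisory describes.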